Show simple item record

dc.contributor.author
Ragab, Hany
dc.contributor.author
Milburn, Alyssa
dc.contributor.author
Razavi, Kaveh
dc.contributor.author
Bos, Herbert
dc.contributor.author
Giuffrida, Cristiano
dc.date.accessioned
2021-08-04T12:33:02Z
dc.date.available
2021-08-02T12:40:17Z
dc.date.available
2021-08-03T12:51:52Z
dc.date.available
2021-08-04T12:33:02Z
dc.date.issued
2021-05
dc.identifier.isbn
978-1-7281-8934-5
en_US
dc.identifier.other
10.1109/SP40001.2021.00020
en_US
dc.identifier.uri
http://hdl.handle.net/20.500.11850/498967
dc.description.abstract
Recent transient execution attacks have demonstrated that attackers may leak sensitive information across security boundaries on a shared CPU core. Up until now, it seemed possible to prevent this by isolating potential victims and attackers on separate cores. In this paper, we show that the situation is more serious, as transient execution attacks can leak data across different cores on many modern Intel CPUs. We do so by investigating the behavior of x86 instructions, and in particular, we focus on complex microcoded instructions which perform offcore requests. Combined with transient execution vulnerabilities such as Micro-architectural Data Sampling (MDS), these operations can reveal internal CPU state. Using performance counters, we build a profiler, CrossTalk, to examine the number and nature of such operations for many x86 instructions, and find that some instructions read data from a staging buffer which is shared between all CPU cores. To demonstrate the security impact of this behavior, we present the first cross-core attack using transient execution, showing that even the seemingly-innocuous CPUID instruction can be used by attackers to sample the entire staging buffer containing sensitive data – most importantly, output from the hardware random number generator (RNG) – across cores. We show that this can be exploited in practice to attack SGX enclaves running on a completely different core, where an attacker can control leakage using practical performance degradation attacks, and demonstrate that we can successfully determine enclave private keys. Since existing mitigations which rely on spatial or temporal partitioning are largely ineffective to prevent our proposed attack, we also discuss potential new mitigation techniques.
en_US
dc.language.iso
en
en_US
dc.publisher
IEEE Computer Society
en_US
dc.title
CrossTalk: Speculative Data Leaks Across Cores Are Real
en_US
dc.type
Conference Paper
ethz.book.title
2021 IEEE Symposium on Security and Privacy (SP)
en_US
ethz.journal.volume
1
en_US
ethz.pages.start
1852
en_US
ethz.pages.end
1867
en_US
ethz.event
42nd IEEE Symposium on Security and Privacy (SP2021)
en_US
ethz.event.location
San Francisco, CA, USA
en_US
ethz.event.date
May 23-27, 2021
en_US
ethz.identifier.scopus
ethz.publication.place
Los Alamitos, CA
en_US
ethz.publication.status
published
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02140 - Dep. Inf.technologie und Elektrotechnik / Dep. of Inform.Technol. Electrical Eng.::02640 - Inst. f. Technische Informatik und Komm. / Computer Eng. and Networks Lab.::09721 - Razavi, Kaveh / Razavi, Kaveh
en_US
ethz.leitzahl.certified
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02140 - Dep. Inf.technologie und Elektrotechnik / Dep. of Inform.Technol. Electrical Eng.::02640 - Inst. f. Technische Informatik und Komm. / Computer Eng. and Networks Lab.::09721 - Razavi, Kaveh / Razavi, Kaveh
en_US
ethz.date.deposited
2021-08-02T12:40:22Z
ethz.source
FORM
ethz.eth
yes
en_US
ethz.availability
Metadata only
en_US
ethz.rosetta.installDate
2021-08-04T12:33:08Z
ethz.rosetta.lastUpdated
2022-03-29T10:55:41Z
ethz.rosetta.versionExported
true
ethz.COinS
ctx_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.atitle=CrossTalk:%20Speculative%20Data%20Leaks%20Across%20Cores%20Are%20Real&rft.date=2021-05&rft.volume=1&rft.spage=1852&rft.epage=1867&rft.au=Ragab,%20Hany&Milburn,%20Alyssa&Razavi,%20Kaveh&Bos,%20Herbert&Giuffrida,%20Cristiano&rft.isbn=978-1-7281-8934-5&rft.genre=proceeding&rft_id=info:doi/10.1109/SP40001.2021.00020&rft.btitle=2021%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20(SP)
 Search print copy at ETH Library

Files in this item

FilesSizeFormatOpen in viewer

There are no files associated with this item.

Publication type

Show simple item record